Secure Sockets Layer (SSL)/Transport Layer Security (TLS) has become a popular protocol for secure communication over the Internet. A version of the SSL protocol is described in Netscape Communications Corp., Secure Sockets Layer (SSL) version 3, (November 1996). The TLS protocol is derived from SSL, and is described in Dierks, T., and Allen, C., “The TLS Protocol Version 1.0,” RFC 2246 (January 1999), available through the Internet Engineering Task Force (IETF), and is incorporated herein by reference.
An SSL/TLS session may be initiated using an SSL/TLS handshake or re-handshake protocol. A CLIENT-HELLO message may be sent from a client to a server. The CLIENT-HELLO message may include an SSL session identifier (ID), among other things. If the SSL session ID is unknown to the server, is not associated with a valid session, or is otherwise invalid, the server may respond with a SERVER-HELLO message which includes a different SSL session ID. The client and server may continue with the SSL/TLS handshake protocol to negotiate an encryption algorithm to be used, to exchange certificates, or the like, as described in RFC 2246. For example, the client and server may send messages including SERVER-CERTIFICATE, SERVER-HELLO-DONE, CLIENT-KEY-EXCHANGE, CHANGE-CIPHER-SPEC, FINISHED, or the like.
If, on the other hand, the SSL session ID included with the CLIENT-HELLO message is known to the server and associated with a valid session, the client and server may use a shortened SSL/TLS handshake protocol and reuse cryptographic information to re-establish the SSL session. The server may respond with a SERVER-HELLO message which includes the same SSL session ID. The client and server may then exchange CHANGE-CIPHER-SPEC messages and FINISHED messages. The SSL session is then re-established.
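The two handshake branches above, as an added example that is not part of the patent text or of any real TLS implementation: a server-side session cache decides, from the session ID in the CLIENT-HELLO, whether to run the full handshake (issuing a fresh session ID) or the abbreviated handshake described in RFC 2246. The class and function names, the bounded cache with an expiry time, and the hit/miss counters are my own assumptions; the message names are the ones used in the text.

```python
"""Constructed model of SSL/TLS session-ID resumption on the server side.

Not production code: keys and session IDs are random placeholders and no
record-layer cryptography is performed. The point is the decision logic:
which handshake runs for a given CLIENT-HELLO session ID, and how the
session cache is bounded so that resumption does not grow memory without
limit. Hit/miss counters are kept so the resumption rate can be reported.
"""
import os
import time

# Message sequences from the text (server and client messages interleaved).
FULL_HANDSHAKE = ["SERVER-HELLO", "SERVER-CERTIFICATE", "SERVER-HELLO-DONE",
                  "CLIENT-KEY-EXCHANGE", "CHANGE-CIPHER-SPEC", "FINISHED"]
ABBREVIATED_HANDSHAKE = ["SERVER-HELLO", "CHANGE-CIPHER-SPEC", "FINISHED"]


class SessionCache:
    """Bounded session-ID -> master-secret cache with a fixed lifetime.

    max_entries and lifetime_s are assumed policy knobs; the clock is
    injectable so expiry can be exercised deterministically in tests."""

    def __init__(self, max_entries=1024, lifetime_s=3600, clock=time.time):
        self.max_entries = max_entries
        self.lifetime_s = lifetime_s
        self.clock = clock
        self._entries = {}   # session_id (bytes) -> (master_secret, created_at)
        self.hits = 0
        self.misses = 0

    def lookup(self, session_id):
        """Return the cached master secret, or None if unknown or expired."""
        entry = self._entries.get(session_id)
        if entry is not None:
            secret, created_at = entry
            if self.clock() - created_at <= self.lifetime_s:
                self.hits += 1
                return secret
            del self._entries[session_id]      # expired: drop it
        self.misses += 1
        return None

    def store(self, master_secret):
        """Issue a fresh random session ID; evict the oldest entry when full."""
        if len(self._entries) >= self.max_entries:
            oldest = min(self._entries, key=lambda k: self._entries[k][1])
            del self._entries[oldest]
        session_id = os.urandom(32)            # 32-byte ID as in SSLv3/TLS
        self._entries[session_id] = (master_secret, self.clock())
        return session_id

    def __len__(self):
        return len(self._entries)

    def stats(self):
        """Counters an administrator could poll to see the resumption rate."""
        total = self.hits + self.misses
        rate = self.hits / total if total else 0.0
        return {"hits": self.hits, "misses": self.misses,
                "entries": len(self._entries), "resumption_rate": rate}


def server_handle_client_hello(cache, client_session_id):
    """Decide the handshake for one CLIENT-HELLO.

    Returns (session_id_in_server_hello, message_sequence, resumed)."""
    if client_session_id:
        secret = cache.lookup(client_session_id)
        if secret is not None:
            # Known, valid ID: echo it back and run the shortened handshake.
            return client_session_id, list(ABBREVIATED_HANDSHAKE), True
    # Unknown/invalid/empty ID: full handshake; the master secret would come
    # from CLIENT-KEY-EXCHANGE, simulated here with random bytes.
    new_secret = os.urandom(48)
    new_id = cache.store(new_secret)
    return new_id, list(FULL_HANDSHAKE), False


if __name__ == "__main__":
    cache = SessionCache(max_entries=2, lifetime_s=60)
    sid, msgs, resumed = server_handle_client_hello(cache, b"")
    print("first connection:", resumed, msgs)
    sid, msgs, resumed = server_handle_client_hello(cache, sid)
    print("reconnect with same ID:", resumed, msgs)
    print(cache.stats())
```

Running the module shows a full handshake on the first connection and the three-message abbreviated handshake on the reconnect; the eviction and expiry paths are what keep the cache from consuming memory indefinitely, and the counters make the miss rate visible rather than leaving the behaviour opaque.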
While reuse of the SSL session ID is useful for re-establishing an SSL session, it may involve inefficient use of memory or other computing resources. Also, problems associated with use of the SSL session ID may not be easily identifiable to network administrators.